The CBI Group
QVC is one of the world’s leading multimedia retailers, reaching millions of customers around the globe each day on-air, on-line, and through mobile. Information security is a priority for us, and we are looking for a Senior Applications Vulnerability Analyst to support Enterprise Applications who will work closely with multiple teams to ensure the security of applications built by the development teams. This position is based outside of Philadelphia at the QVC Founders Park location in West Chester, PA.
The analyst collaborates with the IT Application Development team to provide guidance on secure code development that meets specific security requirements and to ensure that the secure software development lifecycle (SDLC) program is followed.
Components of this role include but are not limited to:
· Review source code and perform vulnerability testing of web applications using tools such as IBM AppScan, HP Fortify, Whitehat, CoreSecurity Core Impact, Rapid7 Nexpose, and Burp.
· Analyze enterprise application systems and data flow.
· Assess effectiveness of security controls and report risk to development team.
· Remain informed of new cyber threat techniques used to target enterprise systems and programs.
· Report recurring risks, vulnerabilities and other security exposures to management, including misuse of information assets and noncompliance with the SDLC.
· Advise information security and application development leadership regarding strategies to promote secure coding practices to address identified risks.
· Maintain risk register and routinely update management.
· Coordinate security training for new and existing development staff.
· Update information security development documentation as described in the SDLC.
· Advise release management team on quality control issues causing security risk.
· Collaborate on application development projects to ensure that security issues are addressed throughout the project life cycle.
· Develop application security processes and procedures, and support service-level agreements (SLAs) to ensure that application security controls are managed and maintained.
· Work within the information security governance and SDLC process to monitor implementation of security controls.
· Provide support and guidance with audit finding remediation, including generating requirements for full remediation, providing support and feedback on tracking progress, and providing status updates to the information security team for escalation to the enterprise compliance team for reporting purposes.
· Work with vendor and IT staff to maintain application vulnerability testing tools.
· Assist with monitoring and implementing security development operations standards for security applications, including policy assessment and compliance tools, network security appliances, and host-based security systems.
· Benchmark application security testing practices against authoritative standards (e.g., OWASP and SANS) as well as regulatory obligations (e.g., PCI, HIPAA, etc.).
· Build consensus with peers and internal customers.
· Seek guidance from project management office regarding integration of security services.
· Support e-discovery and incident handling efforts including identification, collection, preservation, and processing of relevant data.
· Interact with QVC's personnel at all levels and across all business units to advance security initiatives, communicate risk findings, and drive improvement.
Qualifications include:
· Familiarity with web application development platforms and a sound understanding of security principles, such as network security, identity and access management, vulnerability management, and secure coding.
· Advanced knowledge of secure coding practices based on OWASP and SANS.
· Experience with common information security management frameworks, such as International Organization for Standardization (ISO) 2700x, ITIL, COBIT and National Institute of Standards and Technology (NIST) frameworks.
· In-depth knowledge of web application security assessment tools such as IBM AppScan, HP Fortify, Whitehat, CoreSecurity Core Impact, Rapid7 Nexpose, and Burp.
· Bachelor’s Degree in Computer Science or equivalent network security engineering experience.
· 5+ years of experience with application-level penetration testing, manual and automated code review, or secure enterprise application software development.
· Experience developing and documenting application security architecture and data flow plans using Visio, MS Word, MS Excel, etc.
· Experience performing application risk, business impact, security control, and vulnerability assessments.
· Experience developing, documenting and maintaining security policies, processes, procedures and standards.
· Familiarity with network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.
· Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
· Industry-standard security certifications, including SANS, CEH, CISA, CISSP, and CSSLP.
· Participation in SANS Netwars or similar cyber range tournament.
· Experience programming in C or Java.